SMS and Phone Scam

Tonight's news (3rd July) reported on SMS scams and phone scams. What are they actually about? Why do people keep falling into these scam traps? How do the scammers do it? Why? Why? Why? Well, let me share my opinion on this issue.

First, here in Malaysia there are about 27 million mobile phone users. This creates an opportunity for people to exploit it and take advantage of others. Nowadays it seems that people like to be in touch anywhere and almost all the time. Mobile phones help us do so, and so does the internet.

That is not the focus of the story; the main focus is on SMS and phone scams. Previously I posted something on it, but it was a quick write-up after I got a scam call. I may not be a super specialist yet; this is just a view from someone who is in the security field.

What is it about?
Well, in simple terms, an SMS or phone scam is a way for people to try to cheat you out of your money. They will send an SMS like "Your number is selected XXXX for XXXX and won XXXXX amount of money. Please contact XXX-XXXXXXXX back." Or some will call your phone with the same excuse, saying they are from XXXX and want to give XXXXXXXX from XXXX company… They use all kinds of long and special ways to attract you and glue you to the phone. In the end their target is to get your PERSONAL INFO and PRIVATE INFO, like your credit card number, name, and details.

How is it done?
Well, there are many ways they can do it. I do not really know much about how it is done, but after seeing, listening and reading from papers and TV, here is a simple description of how it is done.

1. Some random person calls or SMSes your cell phone. This person claims to be from someone respectable, or some organization, or some company.
2. A long or short description attracts their prey (you). E.g.: you have won something, so listen to the ways to claim the reward.
3. They get your details, including your CREDIT CARD number. Note that this is where it gets fishy. It is not safe to share information like that with people you do not know.
4. They depend on the bank: the scammer will ask you to go to the bank, because they need your confirmation "to receive" the prize. THIS is where it goes downhill. The reason is that you are actually giving confirmation that you are doing an automated transaction. (I will explain this later.)
5. The next day... your money is gone.

Where did we go wrong?
I have been spending time reading Schneier on Security. Security people need to have a certain mindset: think of the ways things fail, or think like a criminal. So here is where things went wrong.

1. The first step: how do they get your info in the first place? Well, there are many ways they can get it, like dumpster diving, getting your info from a phone bill you threw away. In my case most probably someone stole my bills (no wonder they went missing). Another way is stealing from paper, like a survey you filled in for some company, which is then taken from the company and used for your basic info such as name and phone number. Basically, once someone has your phone number they can try calling you. With luck they guess that you have applied for some service, and that is good enough to social engineer.

2. Social engineering needs some social skills. The caller needs to sound like an authoritative person, someone with power, and sometimes someone who sounds rich. Well, all they need to "attract" people is to say "Congratulations, you get money!" or "Congratulations, you are entitled to receive a lifetime of insurance, here is some money!" Nowadays people want easy money; when an offer like this is received, of course they want it.

3. Once they grab hold of your card number, a lot of things can happen. Someone can use the number to do online transactions: buy stuff, transfer money, any transaction that requires a credit card. I would guess this would be the bank's vulnerability. Sometimes these transactions are not authenticated by the card owner. They might assume that whoever is using the card number is the person who owns it. (This was proven when my friend bought a laptop online.)

4. As I said before, this happens because someone exploits the vulnerability of banks. I can see this in how banks sometimes have automated credit from accounts. A scammer can use this idea to automatically debit money from someone's account. A not-so-smart scammer may just withdraw a whole bunch of money from someone's account. But a smart one will take a small amount from each person. This may not be a lot, but imagine this: a person takes RM10 from one person each month. If there are 1000 persons, the scammer will get RM10,000 per month.
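
The RM10 case in point 4 is hard to spot from any single account, because each holder only sees a small debit. The following is an added example, not part of the original post: Python code that groups debit records by payee so the pattern becomes visible from the bank's side. The record layout, payee names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

def build_sample():
    """Constructed debit records: (month, account, payee, amount_rm)."""
    rows = []
    for month in ("month-1", "month-2", "month-3"):
        # Hypothetical payee pulling RM10 from 1000 accounts every month.
        rows += [(month, f"ACC{i:04d}", "PAYEE-X", 10.0) for i in range(1000)]
        # Ordinary recurring bill: larger amount, only a few accounts here.
        rows += [(month, f"ACC{i:04d}", "UTILITY-CO", 85.0) for i in range(3)]
    # The "not so smart" case: one large withdrawal from one account.
    rows.append(("month-3", "ACC0007", "PAYEE-Y", 5000.0))
    return rows

def flag_large_single(rows, threshold=1000.0):
    """Per-transaction rule: only catches big withdrawals."""
    return [r for r in rows if r[3] >= threshold]

def flag_small_recurring(rows, max_amount=50.0, min_accounts=100, min_months=2):
    """Per-payee rule: small debits taken from many distinct accounts in
    repeated months. Returns {payee: (accounts, months, avg_monthly_take)}."""
    accounts = defaultdict(set)
    monthly = defaultdict(lambda: defaultdict(float))
    for month, account, payee, amount in rows:
        if amount <= max_amount:
            accounts[payee].add(account)
            monthly[payee][month] += amount
    flagged = {}
    for payee, accs in accounts.items():
        months = monthly[payee]
        if len(accs) >= min_accounts and len(months) >= min_months:
            avg_take = sum(months.values()) / len(months)
            flagged[payee] = (len(accs), len(months), avg_take)
    return flagged

if __name__ == "__main__":
    rows = build_sample()
    print("large single debits:", flag_large_single(rows))
    for payee, (n_acc, n_months, take) in flag_small_recurring(rows).items():
        print(f"{payee}: {n_acc} accounts, {n_months} months, RM{take:,.0f}/month")
```

The per-transaction rule only reports the RM5000 withdrawal; the per-payee rule is what surfaces the RM10,000 per month collected in RM10 pieces.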

As I said, that is how people can scam a person. If someone like me can come up with this scheme, how about the more professional criminals? I am not trying to scare your pants off; it is not a new issue. It is kind of my way to help people understand.

